ICSA-12-146-01A · Published 2025-06-17
RuggedCom Weak Cryptography for Password Vulnerability
CVSS 8.5 (HIGH)
CVEs (1)
Remediations
- Versions 3.10.1, 3.9.3, 3.8.5, and 3.7.9 of the ROS firmware with security-related fixes are now available and can be obtained from RuggedCom technical support (mailto:[email protected]).
- ROS v3.11.x, a new firmware release containing additional functionality as well as the same security fixes, will be released within the next few weeks. RuggedCom will publish a product bulletin, “Latest news on ROS Device Security Issue” (http://www.ruggedcom.com/productbulletin/ros-security-page/), to notify customers when it is available.
- To address the security issues, the following changes are included in all of the new ROS firmware versions: removal of the factory account referenced in ICSA-12-146-01 and NERC Alert A-2012-05-07-01; insecure communication services disabled by default; improved security for user account password storage; detection of, and an alarm for, weak password strength; and removal of device information from the standard login banner.
- Note: These new versions of the ROS firmware remove the factory account and the associated security vulnerability. Customers using these new versions of the firmware should take special care not to lose the user defined password to a device’s administrative account as recovering from a lost administrative password will now require physical access to the device to reset the passwords.
- RuggedCom recommends that customers using ROS versions older than v3.7 upgrade to a newer version. If this is not possible, RuggedCom has indicated that they will address updates to older versions of the firmware on a case-by-case basis.
- Siemens has issued security advisory “SSA-826381: Multiple Security Vulnerabilities in RuggedCom ROS-based Devices” regarding this vulnerability. It can be found on the Siemens ProductCERT advisory web page (https://cert-portal.siemens.com/productcert/pdf/ssa-826381.pdf).
Affected Vendors
Siemens
Affected Products (2)
- Siemens · ROS <=3.2.x
- Siemens · ROS >=3.3.x